5. Set up account lockout after failed password attempts - verachell/Simple-rails-tryout-app-using-devise GitHub Wiki

We want to lock out a user after a certain number of failed password attempts. This gives some protection against brute-force password guessing (it slows online guessing; it does not replace strong passwords or rate limiting).

To add account lockout, see https://github.com/heartcombo/devise/wiki/How-To:-Add-:lockable-to-Users

First, in app/models/user.rb make sure :lockable is listed among the devise modules (uncomment or add it if needed).

Then configure it in config/initializers/devise.rb. There are several ways to configure lockable; this is just one example using the number of failed attempts as the lock strategy. Note that you can opt to send an unlock link by email instead; that is not done in this basic example, which uses time-based unlock only.

Uncomment the following lines:

config.lock_strategy = :failed_attempts   # lock the account once the failed-attempt counter reaches maximum_attempts
config.unlock_keys = [:email]             # key(s) used to identify the account when unlocking (only used by the :email strategy)
config.unlock_strategy = :time            # unlock automatically once unlock_in has elapsed (no email involved)
config.maximum_attempts = 4               # the 4th consecutive failed attempt locks the account
config.unlock_in = 1.hour                 # how long the account stays locked
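To make the effect of these settings concrete, here is an added stand-alone model of the :failed_attempts lock strategy with :time unlock. It is example code written for this page, not Devise's code and not part of this app; the class name LockableAccount, the constant names and the injected clock are assumptions so the lockout window can be exercised without waiting an hour. The behaviour follows Devise's Lockable semantics: every failed attempt increments the counter, the 4th failure locks the account, a correct password during the lockout is still refused and counted, and once unlock_in has passed the lock clears and the counter resets.

```ruby
# Added example: a minimal model of Devise's :failed_attempts / :time lockable behaviour.
# Not Devise's own code; names and the clock injection are assumptions for this demo.
MAXIMUM_ATTEMPTS = 4           # mirrors config.maximum_attempts = 4
UNLOCK_IN_SECONDS = 60 * 60    # mirrors config.unlock_in = 1.hour

class LockableAccount
  attr_reader :failed_attempts, :locked_at

  # clock is injected so tests can move time forward deterministically
  def initialize(password, clock: -> { Time.now.utc })
    @password = password      # constructed demo credential; plain text only to keep the demo small
    @failed_attempts = 0
    @locked_at = nil
    @clock = clock
  end

  # Locked means locked_at is set and the unlock window has not yet elapsed.
  def access_locked?
    !@locked_at.nil? && !lock_expired?
  end

  # The lock has expired once locked_at is older than unlock_in.
  def lock_expired?
    return false if @locked_at.nil?
    @locked_at < @clock.call - UNLOCK_IN_SECONDS
  end

  def lock_access!
    @locked_at = @clock.call
  end

  def unlock_access!
    @locked_at = nil
    @failed_attempts = 0
  end

  # Authentication decision: an expired lock is cleared first; then only a correct
  # password on an unlocked account succeeds. Every other outcome counts as a failure
  # and engages the lock once the counter reaches MAXIMUM_ATTEMPTS.
  def authenticate(candidate)
    unlock_access! if lock_expired?
    if candidate == @password && !access_locked?
      @failed_attempts = 0
      return true
    end
    @failed_attempts += 1
    lock_access! if @failed_attempts >= MAXIMUM_ATTEMPTS && !access_locked?
    false
  end

  # Attempts left before the lock engages (what a "last attempt" warning would show).
  def attempts_remaining
    [MAXIMUM_ATTEMPTS - @failed_attempts, 0].max
  end
end

# Walks through the lockout sequence on a constructed fixed clock and returns the observations.
def lockout_demo
  now = Time.utc(2024, 1, 1, 12, 0, 0)   # constructed fixed clock; the lambda sees later reassignments
  clock = -> { now }
  acct = LockableAccount.new('correct horse', clock: clock)
  results = {}
  3.times { acct.authenticate('wrong') }
  results[:locked_after_three] = acct.access_locked?                 # false: one attempt remains
  results[:remaining_after_three] = acct.attempts_remaining          # 1
  acct.authenticate('wrong')
  results[:locked_after_four] = acct.access_locked?                  # true: 4th failure locks
  results[:correct_password_while_locked] = acct.authenticate('correct horse') # false
  now += UNLOCK_IN_SECONDS + 1                                       # step past unlock_in
  results[:accepted_after_window] = acct.authenticate('correct horse')         # true
  results[:failed_attempts_after_success] = acct.failed_attempts     # 0: counter reset
  results
end

if __FILE__ == $PROGRAM_NAME
  lockout_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The point worth noticing is the boundary: maximum_attempts = 4 means the fourth wrong password locks the account, not the fifth, and a correct password submitted during the lockout neither logs the user in nor shortens the window.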

Then continue with the next steps (from the devise tutorial link given above):

rails g migration add_lockable_to_devise

This creates a file db/migrate/[...]add_lockable_to_devise.rb. If your original User model did not already have :lockable, add the extra columns to the migration as shown below. We did have :lockable from the start, so these extra lines were not needed here; they are for the case where you did not use lockable in your user model and decided to add it later:

# Rails 5+ requires the version suffix on Migration; keep whatever `rails g migration` emitted
# for your app (7.0 below is only a placeholder).
class AddLockableToDevise < ActiveRecord::Migration[7.0]
  def change
    add_column :users, :failed_attempts, :integer, default: 0, null: false # Only if lock strategy is :failed_attempts
    add_column :users, :locked_at, :datetime

    # Add these only if unlock strategy is :email or :both
    add_column :users, :unlock_token, :string
    add_index :users, :unlock_token, unique: true
  end
end

Then run rake db:migrate.

Then restart the server.

Check that this works: after 4 consecutive failed sign-in attempts the account should be locked, and it should become usable again about 1 hour later without any email step.